[aur-general] TU Application -Thomas Hatch

Martin Peres martin.peres at free.fr
Wed Jan 5 17:13:31 EST 2011


On 05/01/2011 22:54, Thomas S Hatch wrote:
> On Wed, Jan 5, 2011 at 2:51 PM, Martin Peres <martin.peres at free.fr> wrote:
>
>> On 05/01/2011 22:39, Thomas S Hatch wrote:
>>
>>> On Wed, Jan 5, 2011 at 2:33 PM, Martin Peres <martin.peres at free.fr>
>>> wrote:
>>>
>>>> On 05/01/2011 22:21, Thomas S Hatch wrote:
>>>>
>>>>> Oh, it is lower on my list, but I wanted to make SELinux more powerful
>>>>> in Arch too, I am one of the VERY few who not only knows how to handle
>>>>> SELinux, and likes to use it :)
>>>>>
>>>> You WHAT? You like to use it? You must be a masochist then ;)
>>>> I've been working around and on it for 2 years now and I wouldn't use it
>>>> for any desktop (even though that's what I'm doing at work).
>>>>
>>>> Are you using the targeted mode or the strict one (I'm always using the
>>>> strict mode)?
>>>>
>>> Well of course you have to move in and around it using the strict mode! Do
>>> you know who developed that? The NSA, and don't tell them I said anything,
>>> but I don't trust those guys :)
>>>
>>> Personally, I would not use SELinux on a desktop, I think that SELinux is
>>> best suited for machines with static configurations that serve content
>>> often to the open internet. So with that said, SELinux is best for DNS
>>> servers, Mail servers, routers etc.
>>>
>>> And the strict policy is too strict, often it thinks that booting is a
>>> security violation!
>>>
>>> See what I mean though? Most people don't like it, personally, I do NOT
>>> endorse turning it on by default, I think that that is a bit crazy.
>>>
>> Oh sure, SELinux is simple on servers ;) My research is about dynamically
>> loading policy modules according to the current user's task. It works kind
>> of well.
>>
>> I've written some helpers to generate security policies automatically, it
>> makes you a working policy in less than 4 minutes (for firefox). You're done
>> in a little more than 10 minutes (test & audit).
>>
>> Currently, I'm working on adding a memory access control in SELinux (just
>> for fun, we'll see how it works).
>>
>> I know all of this is crazy, hence the reason I'm kind of fed up with
>> SELinux even though it is really powerful!
>>
>> Anyway, I'm using Gentoo Hardened for my research. The only non-Arch OS I'm
>> using.
>>
> Wow, this sounds like great stuff! I would love to get my hands on it, this
> could make policy tuning a walk in the park!
>
> Is this open source? Can I see your code? What is it written in?
The automated policy creation is in Python. The other project that 
detects the user's activity and changes the SELinux modules of an 
application is written in C/C++/Qt, there are also patches needed for 
Firefox and claws-mail. The basic idea is defined here: 
http://mupuf.org/blog/article/39/ (read the article). I've done at least 
two major rewrites since then to add features and improve the 
configuration files.

I'll ask my employers (my teachers/researchers I'm working with) if they 
are ok with open sourcing the Python auditor. The other research project 
will be released for sure but I'm still working on it and it is not 
ready for a public release yet.

There is still a lot of polishing to be done and I still have to write a 
paper on it to show the problem of automated policy creation and labelling.

If you want more info, please send me a mail ;) I'll keep you updated on 
this!

Good luck with your application :)

Martin

